Tomcat version: 8.5.31
O/S: Windows Server 2008 R2

McAfee vulnerability checker has reported a MEDIUM level vulnerability as

Vulnerability: CVE-2018-8014: Apache Tomcat Vulnerability Prior To 8.5.32
[FID 23621]

Apache Software Foundation reports this in  annou...@tomcat.apache.org

CVE-2018-8014 Insecure defaults for CORS filter

and the only mitigation is to "Configure the filter appropriately for your

My question is:

What if you don't have a CORS filter configured anywhere in the Tomcat and
web apps associated web.xml files?

It seems that if you explicitly configure a minimum filter specified in the


then you have to be concerned about the cors.support.credentials allowing
the default of "true".



Richard M. Bradley (Rick)

*Geospatial Engineer*
Sanborn Map Company, Inc.
Phone number: (303) 236-4538

"Decide that you want it more than you're afraid of it.  Your greatest
dreams are all on the other side of the wall of fear and caution."

- Unknown

This e-mail, including any attachments, contains information intended only
for the use of the individual or entity to which it is addressed and may
contain information that is privileged and/or confidential or is otherwise
protected by law. If you are not the intended recipient or agent or an
employee responsible for delivering the communication to the intended
recipient, you are hereby notified that any review, use, disclosure,
copying and/or distribution of its contents is prohibited. If you have
received this e-mail in error, please notify us immediately by reply to
sender only and destroy the original.

Reply via email to